AWS VPC NACL Allows Traffic From Blocked Ports

Ensure AWS VPC NACL blocks traffic from blocked ports.

Policy Details

Policy Subtype
Build
Severity
Medium
Template Type
Terraform

Build Rules

AWS VPC NACL allows traffic from blocked ports.
JSON Query:
$.resource[*].aws_network_acl exists and $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5800' && @.to_port == '5800')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5900' && @.to_port == '5903')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '2323' && @.to_port == '2323')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '23' && @.to_port == '23')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '25' && @.to_port == '25')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '110' && @.to_port == '110')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '143' && @.to_port == '143')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '53' && @.to_port == '53')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].action==allow
Recommendation:
Recommended solution for not allowing traffic from blocked ports in AWS VPC NACL.
Ensure that ingress traffic is not allowed from blocked ports in AWS VPC NACL. Please make sure the value for "cidr_blocks" is not equal to "0.0.0.0/0" or "::/0" for any of the blocked ports under ingress block.
For example:
"aws_network_acl": [ { "<network_acl_name>": [ { "ingress": [ { "action": "deny", "cidr_block": "0.0.0.0/0", "from_port": 53, "protocol": "-1", "rule_no": 1200, "to_port": 53 } ], "vpc_id": "${aws_vpc.demo.id}" } ] } ]

Recommended For You